
Deploying AD for small business


  • Deploying AD for small business

    Hello everyone, thank you for taking the time to read this post.

    We are a relatively small country in the US. We have about 150 employees in 10 offices nationwide. We currently have a separate AD for Exchange and one for Terminal Services. We are doing some IT restructuring, and I would appreciate any advice you guys can give me. We would like to have one central DC with AD, to control the following 3 things:

    1. Exchange Server
    2. Terminal Services
    3. Roaming Profiles

    In addition to allowing our users access to Terminal Services for a specific CRM app that we use, we would also like to lock down the computers in each individual office using a domain (right now each user runs his own administrator account on his personal computer - no domain). We want to VPN all the offices together (router-based) and then have each user log into his computer on one global domain for everyone.

    I would like to know if anyone can guide me on how to set this up. My questions include:

    1. What type of hardware should the AD be running on (we use Dell, and I would like to use a PowerEdge server)?

    2. How many AD machines do we need?

    3. Do we need a separate Domain Controller in each office, or is one DC in the Data Center good enough?

    4. Can we run other services on the DC like Terminal Services, or does the machine need to be dedicated only to AD?

    5. Should we be setting up roaming profiles for the users, or should they each be storing their profile on the local computer?

    6. How can we create separate profiles for them when they connect to their local desktop, and for when they connect to the Terminal Server?

    Thank you so much for any info you can give me that will help me with this setup.


  • #2
    Re: Deploying AD for small business

    You are a small country in the US? Not possible, but let's get to your questions just the same.

    The way you worded your question makes it sound like it's from the 70-219 exam. LOL

    You are definitely doing the right thing here. For 1 company with 10 sites there is little need for multiple domains.

    1. AD runs on Pentium class hardware. You can follow Microsoft's hardware requirements and recommendations, as well as following their HCL. I would recommend a minimum of 256MB of RAM for a DC. Even more for Global Catalog servers. Virtual servers such as those that run on VMware and Microsoft virtualization platforms make good domain controllers IMO so do check that out.

    2. One piece that you left out is how your 10 nationwide offices are connected from a WAN link perspective. We need an idea of how well connected your offices are and we also need to know what your requirements are for uptime and domain availability. The more availability you require at each of your offices, the more domain controllers and DNS servers and Global Catalogs we need to deploy. Need more info to answer this question.

    3. Same as #2

    4. Running Terminal Services in application mode on a domain controller is not advised. Assume that you will need dedicated servers to function as domain controllers (whether physical or virtual) and assume dedicated servers for Terminal Services. You don't want users logging on to your domain controller running applications or you risk your AD infrastructure as well as data security.

    5. Ties in to #2. WAN link speed, location and size of roaming profiles will be a deciding factor. What is the purpose for roaming profiles? Will users be traveling from office to office? Are you trying to deploy mandatory profiles? Need more background information here in order to make an informed decision.

    6. User profiles and Terminal Services profiles are two different things and can be individually specified on the property sheet of the user account object. See the two attachments in this post.

    You didn't mention the location of the Exchange server(s). That will play into the equation.

    Attached Files
    Last edited by jasonboche; 23rd June 2006, 03:46.
    VCDX3 #34, VCDX4, VCDX5, VCAP4-DCA #14, VCAP4-DCD #35, VCAP5-DCD, VCPx4, vEXPERTx4, MCSEx3, MCSAx2, MCP, CCAx2, A+ - VMware Virtualization Evangelist
    My advice has no warranties. Follow at your own risk.
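    The distinction drawn in #6 above, shown in PowerShell as an added example that is not part of the original post: the desktop (roaming) profile path and the Terminal Services profile path are separate settings on the user object and can point at different shares. The account name, server names and share paths are assumptions. The Terminal Services values are not plain LDAP attributes; they live in the userParameters blob and are set through the ADSI IADsTSUserEx interface, which is why the second half of the script uses [ADSI] rather than Set-ADUser.

```powershell
# Added example: give one user a desktop profile path and a separate
# Terminal Services profile path. Account, server and share names are
# assumptions chosen for illustration.
Import-Module ActiveDirectory

$sam          = 'jdoe'                  # assumed user account
$profileShare = '\\FS01\Profiles$'      # assumed share for desktop profiles
$tsShare      = '\\TS01\TSProfiles$'    # assumed share for TS profiles
$homeShare    = '\\FS01\Home$'          # assumed share for home folders

# 1. Desktop profile and home folder: ordinary LDAP attributes
#    (profilePath, homeDirectory, homeDrive), set with the AD module.
Set-ADUser -Identity $sam `
    -ProfilePath   "$profileShare\$sam" `
    -HomeDirectory "$homeShare\$sam" `
    -HomeDrive     'H:'

# 2. Terminal Services profile: stored in the userParameters blob, so it is
#    written through the IADsTSUserEx interface on the ADSI user object.
$dn   = (Get-ADUser -Identity $sam).DistinguishedName
$user = [ADSI]"LDAP://$dn"
$user.psbase.InvokeSet('TerminalServicesProfilePath',   "$tsShare\$sam")
$user.psbase.InvokeSet('TerminalServicesHomeDirectory', "$homeShare\$sam")
$user.psbase.InvokeSet('TerminalServicesHomeDrive',     'H:')
$user.SetInfo()

# 3. Read both back to confirm the two paths are independent of each other.
$user.psbase.RefreshCache()
[pscustomobject]@{
    DesktopProfile = (Get-ADUser -Identity $sam -Properties ProfilePath).ProfilePath
    TSProfile      = $user.psbase.InvokeGet('TerminalServicesProfilePath')
}
```

    Because the TS path is only used for Remote Desktop logons, the folder it points to can be made mandatory (NTUSER.DAT renamed to NTUSER.MAN) without affecting the user's desktop profile, which is what allows the Terminal Server to be locked down harder than the office PCs. Either share should grant each user write access only to their own folder.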


    • #3
      Re: Deploying AD for small business

      Thank you Jason for taking the time to share your expertise. As you can see, I don't know too much about all this, and I'll answer as much as possible to the questions you asked me.

      Firstly, you are correct, we are not a small country in the US. Must've been a typo. Although I wouldn't mind being my own country.

      Let's go through the questions one by one.

      1. We don't want to get a computer with only 256MB of RAM even though that is the minimum. We will get a regular server - but they run very expensive. Are you saying that we don't need dual processors or dual core or anything fancy like that, and the basic server would be fine for us? Also, would you recommend RAID mirroring or striping for the hard drives, or is it really not necessary? I think at this point I'd rather not do VMware, as I heard it gets expensive.

      2. To explain how our offices are set up: Each office is connected to the internet via a standard cable or DSL line, or sometimes both. One of the offices has a T1 coming into it. We plan on VPN'ing the offices together using router-based VPN, not anything fancy like point-to-point T1. Right now each user logs in with a local administrator account to his computer. We therefore had a very big problem with keeping track of everyone, and also users were installing viruses and spyware onto their computers. We had no idea if the anti-virus software we were using was updated or not, and sometimes we found that no antivirus software was installed at all. We figure that with AD and a real domain, each user logs in to the domain and not a local account, and therefore we can lock it down much better, and have easier control over each user's computer. Among the options we heard were as follows:

      a. Domain Controller in each office with
      i. Roaming profiles stored on that local DC, and replicated to all the other DC's so that a user can access his roaming profile no matter what office he's in
      ii. Roaming profiles stored on the local DC with no replication, and any user will be able to log in to any other office, but will not receive his local desktop, rather it will create for him a new roaming profile on that other local DC
      b. Central Domain Controller with Roaming Profiles stored on it. We probably don't want to do this since every time someone logs on or off it would have to transfer all their data over the DSL or cable connection.
      c. Just use AD with no roaming profiles, and each user's desktop is stored on that local computer.

      It is not so necessary for users to have their desktop no matter where they are, and the truth is we may not even need users to have their roaming profile on the local DC, but it would be nice to have it that way in case a user's system crashes and he needs to move to another computer.

      The real original question was whether or not we need a redundant AD machine in the Data Center, or is one machine enough? If we have DC's in each office and the main AD machine crashes, will it replicate when we replace it? Or should we just make a backup of the AD onto an external hard drive and hope for the best? How would you do it if you were a company of my size?

      3. Same as above

      4. Thank you. We will make sure to keep Terminal Services and our apps on a separate server from the AD.

      5. See #2 and let me know what you think is the best way to go.

      6. Thanks for the info. That helps a lot since we would like to lock down the terminal services profile a lot more than the regular roaming profile. But can users have 2 different Group Policies based on whether they're logging into their desktop or into the Terminal Server? For example on the TS we would not want them creating any new icons on the desktop, and the start menu will only have a few icons, but on their local desktops we want to allow them much greater access.

      As far as my exchange server is concerned, it will be on the same rack in the same data center as my main AD machine, my Terminal Services machine, and my SQL server etc. We do not plan on having multiple Exchange servers in each local office, but we would consider having 2 exchange servers in a cluster for redundancy and failover.

      Thanks so much for your help. It is greatly appreciated.


      • #4
        Re: Deploying AD for small business

        1. You don't need a real powerful server for a domain controller role unless your domain controllers were performing authentication and other domain controller duties for a large infrastructure of tens of thousands of employees. For a smaller company with less than 500 employees, you should be able to get by with bare bones hardware but in your case you may need several domain controllers and DNS servers for multiple sites. Surely though you don't need to be looking at quad processor or even dual core servers (although they are nice if you have the budget). Also, when I say go cheap, I don't mean that you should leave out redundancy. Redundancy and fault tolerance are important. If you're forced to buy a medium to large size box and it ends up being way underutilized, virtualization helps you make much more use of existing hardware.

        2. If all your sites are connected via broadband VPN, every site will require an Active Directory Site, particularly if you plan on placing domain controllers at the site. Ideally you should count on placing 2 DCs and DNS servers at each site. Microsoft recommends 2 for fault tolerance but if your business would accept slow logons and Active Directory queries to save money on server hardware, you could stick with 1 DC or maybe even 0 DCs at each site. Just understand that with 0 DCs, AD logon will need to occur over the VPN connections to another DC in another site. If users will be logging on using UPN logons, you'll also need to make sure global catalog servers are available at each site even if a site link is down, or at a minimum that universal group membership caching is operational at each site. If a site VPN connection is down, users won't be able to log on and they will likely be having a multitude of other problems as well such as data, applications, email, and roaming profiles not being available.

        a. Ok, good, it sounds like you're already committing to 1 DC per site. That will facilitate some of what I talked about above. Now what about 2 DCs per site for redundancy?

        i. I think roaming profiles won't be a real great idea given your site connections. Users will save files to their desktop which will add to the size of their roaming profiles. If a user saves a 50MB media file to his desktop, that's 50MB that his profile just grew and will need to get replicated to servers in all other sites. Why should all the users in the 9 other sites suffer because of this person's ballooning profile? I've seen profiles much worse than what I explained so in a way I'm sugar coating it. A better solution might be mandatory profiles where you provide the user with the necessary applications. Data is stored on their "home" server which is at their normal site.

        b. Not a great idea unless you made the profiles mandatory and you trimmed the fat. You would have logon duration complaints from users with medium to large profiles. Mandatory profiles are read only and thus garbage that users copy to their desktop won't get saved to the profile when the user logs off.

        c. I like this the best. With your office broadband links, user profiles just don't fit in my opinion.

        Choosing the right number of domain controllers is a double-edged sword. Too few domain controllers and you're at risk if you lose a DC. Perhaps logons become slow or don't work at all. Too many domain controllers and replication traffic starts taking over your network bandwidth. Sites, links, and costs must all be dealt with. Not to mention increasing server count increases server count (think patching, vulnerabilities, attack surface, licensing, etc.).

        6. Yes, you can get very detailed on Terminal Services/Citrix policies. This is an area where loopback processing of GPOs comes in handy.

        This is quite a bit of data to absorb and massage. You should make a site diagram and map this all out or we'll likely miss some things. 50% or more of AD implementation is planning the infrastructure. The remainder is the actual technical implementation. Plan on spending a lot of time mulling this information over.

        If you'd like, I can start out a diagram with Microsoft Visio to see what this is looking like.

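        Two pieces of the answer above, the per-site topology in #2 and the loopback-processed Terminal Server policy in #6, shown together in PowerShell as an added example that is not part of the original post. Site names, subnets, link cost and interval, the OU path and the domain name are all assumptions. The first function builds one branch site with its subnet, a site link back to the data center, and universal group membership caching for the case where the branch DC is not a Global Catalog; the second creates a GPO that turns on loopback processing in Replace mode and links it only to the Terminal Servers' OU, so the restrictive user settings never reach the office desktops.

```powershell
# Added example: one AD site per branch office, and a lockdown GPO that
# applies only to Terminal Server sessions via loopback processing.
# All names, subnets, costs and OU paths are assumptions.
Import-Module ActiveDirectory
Import-Module GroupPolicy

# --- Part 1: site topology for a branch connected over a VPN link ---------
function New-BranchSite {
    param(
        [string]$Name,                       # e.g. 'Chicago' (assumed)
        [string]$Subnet,                     # e.g. '10.20.0.0/24' (assumed)
        [string]$HubSite     = 'DataCenter', # assumed name of the hub site
        [int]   $LinkCost    = 100,
        [int]   $ReplMinutes = 15
    )
    New-ADReplicationSite -Name $Name
    # Map the office subnet to the site so clients look for a local DC first.
    New-ADReplicationSubnet -Name $Subnet -Site $Name
    # Site link to the hub: cost and interval control replication over the VPN.
    New-ADReplicationSiteLink -Name "$HubSite-$Name" `
        -SitesIncluded $HubSite, $Name `
        -Cost $LinkCost -ReplicationFrequencyInMinutes $ReplMinutes `
        -InterSiteTransportProtocol IP
    # If the branch DC is not a Global Catalog, cache universal group
    # membership locally so UPN logons still succeed while the link is down.
    Set-ADReplicationSite -Identity $Name `
        -UniversalGroupCachingEnabled $true `
        -UniversalGroupCachingRefreshSite $HubSite
}

# --- Part 2: Terminal Server lockdown GPO with loopback (Replace mode) ----
function New-TsLockdownGpo {
    param(
        [string]$Name     = 'TS Lockdown',
        [string]$TargetOU = 'OU=Terminal Servers,DC=corp,DC=example'  # assumed
    )
    $gpo = New-GPO -Name $Name
    $explorer = 'HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

    # Computer side: loopback processing. UserPolicyMode 2 = Replace, 1 = Merge.
    # In Replace mode the user settings of GPOs linked to the computer's OU
    # apply to whoever logs on, regardless of where the user object lives.
    Set-GPRegistryValue -Name $Name `
        -Key 'HKLM\Software\Policies\Microsoft\Windows\System' `
        -ValueName 'UserPolicyMode' -Type DWord -Value 2 | Out-Null

    # User side: restrictions that should bite only inside a TS session.
    Set-GPRegistryValue -Name $Name -Key $explorer `
        -ValueName 'NoDesktop' -Type DWord -Value 1 | Out-Null   # hide desktop items
    Set-GPRegistryValue -Name $Name -Key $explorer `
        -ValueName 'NoRun'     -Type DWord -Value 1 | Out-Null   # remove Run

    # Link to the Terminal Servers' OU only; office PCs in other OUs never
    # process this GPO and keep their more permissive policy.
    New-GPLink -Name $Name -Target $TargetOU -LinkEnabled Yes | Out-Null
    return $gpo
}

New-BranchSite -Name 'Chicago' -Subnet '10.20.0.0/24'
New-TsLockdownGpo
```

        Run this from a management workstation with the RSAT modules installed and an account allowed to modify the Configuration partition and create GPOs. Check the result on a Terminal Server with gpresult /r after a test logon: the user section should list only the lockdown GPO when Replace mode is in effect.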